
Virus Update

Old 07-21-2006, 07:58 PM
  #1  
Members
Senior Members
Thread Starter
 
Lomag's Avatar
 
Join Date: Jun 2003
Location: USA
Posts: 2,542
Likes: 0
Received 2 Likes on 1 Post
My Ride: BMW
Default

Hi Guys,

I'm posting an update here about this virus situation rather than replying to the three other topics separately. Basically the situation is such:

The first time we had this virus issue it was apparently the fault of an exploit in IPB 2.1.6 for which they released a 2.1.7 version to correct the problem, which I updated the site to that same day. I wasn't able to get httpd logs of how the board was modified since they cycle daily at midnight and I got back that night to fix it around 1 AM the next morning.

In any case, this afternoon, even with the most current IPB board version it happened yet again. The difference now is that I was able to get the http logs to see exactly what happened. I don't have the exact details yet but basically the main board header was modified to include some HTML code which loads another web site containing this JavaScript-related virus. There's no virus problem on this server at all. Now, the kicker is that the header was modified through the Admin interface which of course only Dave (das) and I (Lomag) have access to. I'm not able to see what login name was used to log in to the admin page due to poor logging in this board in that regard but most likely it was neither of us and probably another bug in this software. We have their IP address which doesn't match any members or posts on the board at all.

So the question is: what can be done to prevent this from happening again? Well, I actually have good news in regards to this question. The steps I've taken are:

1. I've opened up a new ticket with the IPB folks notifying them of this problem and how I could retrieve more information on what login that person used to get into the admin interface, and how we could fix this.
2. Just in case, both Dave and I have reset our member passwords.
3. I've firewalled the entire ISP of the person who did this (this won't affect any current members) from reaching the web site entirely.
4. Most importantly, I've restricted access to the admin page to basically my and Dave's IP addresses ONLY so if anyone else tries to access the admin page, even with a valid login/password, it's just not going to even work, denying them access from the get-go.

With #4 implemented I'm about 99.9% confident that this virus issue won't come up again. I for one can't believe it's happened for a second time but these PHP programs/scripts are so complex and the world of exploits is so large, anything can happen. Perhaps what pisses me off the most is that today is my birthday, July 21st, and well, this is not exactly the type of thing I want to come home to.

So, with a fix in place, I'll await a reply from the IPB folks, who created this software, and we'll go from there. One key point I'd like to emphasize is that this problem not only affects our board here but every other board running this IPB software as well so I'm doing the best I can given the circumstances.
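Steps 3 and 4 above amount to an IP allow-list on the board's admin directory, plus the kind of log review that turned up the outside address in the first place. The script below is an added illustration, not part of this thread and not IPB's own code: it parses Apache combined-format access log lines, reports admin-path requests coming from addresses outside an allow-list (whole ISP ranges are handled as CIDR blocks, as in step 3), and emits the equivalent Apache 2.2 .htaccess deny/allow block for the admin directory. The admin path /admin/, the allow-listed addresses and the log lines are constructed assumptions.

```python
import ipaddress
import re

# Apache combined log format:
#   ip ident user [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed admin directory for an IPB 2.x board; adjust to the real path.
ADMIN_PREFIX = "/admin/"

# Constructed sample log lines (documentation ranges, not real board traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jul/2006:14:02:11 -0800] "POST /admin/index.php?act=skin&code=edit HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Jul/2006:14:05:43 -0800] "GET /index.php?showtopic=1 HTTP/1.1" 200 23011 "-" "Mozilla/5.0"
203.0.113.55 - - [21/Jul/2006:15:17:09 -0800] "GET /admin/index.php HTTP/1.1" 200 3211 "-" "Mozilla/4.0"
203.0.113.55 - - [21/Jul/2006:15:18:31 -0800] "POST /admin/index.php?act=skin&code=doeditheader HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["status"] = int(rec["status"])
    return rec


def in_allowlist(ip, networks):
    """True if the address falls inside any allow-listed network."""
    return any(ip in net for net in networks)


def admin_hits_outside_allowlist(log_text, allowed):
    """List admin-path requests whose client address is not allow-listed.

    `allowed` holds single addresses or CIDR blocks as strings.
    Each hit is (ip, timestamp, method, path, status).
    """
    networks = [ipaddress.ip_network(a, strict=False) for a in allowed]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than guessing
        if rec["path"].startswith(ADMIN_PREFIX) and not in_allowlist(rec["ip"], networks):
            hits.append((str(rec["ip"]), rec["ts"], rec["method"], rec["path"], rec["status"]))
    return hits


def htaccess_allowlist(allowed):
    """Apache 2.2-style .htaccess body for the admin directory.

    Deny everyone, then allow only the listed addresses or CIDR blocks;
    a request from anywhere else is refused before the login form loads.
    """
    lines = ["Order Deny,Allow", "Deny from all"]
    for a in allowed:
        net = ipaddress.ip_network(a, strict=False)
        if net.num_addresses == 1:
            lines.append(f"Allow from {net.network_address}")
        else:
            lines.append(f"Allow from {net}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    admins = ["192.0.2.10", "192.0.2.11"]  # assumed addresses of the two admins
    for hit in admin_hits_outside_allowlist(SAMPLE_LOG, admins):
        print("admin hit from outside allow-list:", hit)
    print(htaccess_allowlist(admins), end="")
```

Run over the sample, the script flags the two requests from 203.0.113.55 (one of them an edit to the board header), while the admin's own POST passes silently. The generated directives belong in an .htaccess file inside the admin directory (or the matching `<Directory>` block in httpd.conf); with `Order Deny,Allow` and `Deny from all`, later `Allow from` lines win, so only the listed addresses reach the login page.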
Old 07-21-2006, 08:08 PM
  #2  
Super Moderator
 
Rudy's Avatar
 
Join Date: Mar 2004
Location: Pittsburgh, PA USA
Posts: 17,310
Likes: 0
Received 2 Likes on 2 Posts
My Ride: G30 M550i
Model Year: 2018
Default

Lomag, I've been researching this bug for the last half-hour or so. It seems that the script that was used against version 2.1.6 was able to actually create a new admin account. That's how they were able to do it without you or das' account credentials...

Supposedly, the 2.1.7 version you're now running will fix this latest bug -- hopefully there won't be a new one next Friday night!!

Thanks for taking such good care of things Lomag!!

Note to Windows users: PATCH YOUR COMPUTERS!! If they're patched, this java/trojan will not harm you...

If you ask me, it's scarier that the hacker has the ability to create an admin account on this board...
Old 07-21-2006, 08:11 PM
  #3  
Members
Senior Members
Thread Starter
 
Lomag's Avatar
 
Join Date: Jun 2003
Location: USA
Posts: 2,542
Likes: 0
Received 2 Likes on 1 Post
My Ride: BMW
Default

There's no other admin accounts except das and I which I've verified. The board was running 2.1.6 in the past which was updated to 2.1.7 on July 15th. I'm beginning to think that somehow some hidden account was created during that 2.1.6 exploit and it's still left over. But again, with the fixes I've put in, it'll put a rest to the problem until we can figure out exactly what the deal is.
Old 07-21-2006, 08:17 PM
  #4  
Super Moderator
 
Rudy's Avatar
 
Join Date: Mar 2004
Location: Pittsburgh, PA USA
Posts: 17,310
Likes: 0
Received 2 Likes on 2 Posts
My Ride: G30 M550i
Model Year: 2018
Default

Hey Lomag, check your PM...
Old 07-21-2006, 08:55 PM
  #5  
Contributors
 
EBMCS03's Avatar
 
Join Date: Oct 2004
Location: So Cal, USA
Posts: 14,776
Likes: 0
Received 0 Likes on 0 Posts
My Ride: 545iSMGSilver GrayAuburn Dakota LeatherLogic 7 Premium SoundSports Package
Default

Originally Posted by Rudy (Jul 21 2006, 09:08 PM):
Note to Windows users: PATCH YOUR COMPUTERS!! If they're patched, this java/trojan will not harm you...

Ah, no wonder I had no problems on this comp.


Thanks for all the hard work guys.

and Happy B-Day Lomag!!!
Old 07-21-2006, 09:55 PM
  #6  
Contributors
 
ICEMAN 316's Avatar
 
Join Date: Feb 2006
Location: So. Cal 626
Posts: 1,626
Likes: 0
Received 0 Likes on 0 Posts
My Ride: 2007 550i White/Black, SMG, Sports Pkg, Comfort Access, Nav, HUD, Satellite Radio, Anthracite Maple Trim 2006 X5 3.0, Black/Black, Sports Pkg, Premium Pkg, Xenon Adaptive Headlight, NAV, Rear Climate Pkg, Anthracite Trim
Default

Great job Lomag and Happy Birthday
Old 07-22-2006, 12:56 AM
  #7  
Members
 
Robert J's Avatar
 
Join Date: Jul 2005
Location: Stockholm, Sweden
Posts: 243
Likes: 0
Received 0 Likes on 0 Posts
My Ride: Booked: E70n X5 40d M. Carbonblack, oyster, comfortseats, Nav Pro, Active Drive, Panoramic, Hifi PRO DSP, HUD, Alutrim, Satin ext, gloss rails, towconnector, elctric lid, alarm and more. FS: E61 535D -06, Activesteering, Comfort seats, Hifi, M-steeringwheel, PDC, Rails, Tinted windows, Folding mirrors, Towconnector, Alu trims, Panoramic roof, ISO FIX, SonyEricsson BT-HF, 124 wheels, Alarm, Electric lid, Aburn interior, Xenons, Silvergrey and the crappy cupholders!!!
Default

Great work!!
Old 07-22-2006, 01:59 AM
  #8  
Super Moderator
 
Iceman's Avatar
 
Join Date: May 2004
Location: FL
Posts: 18,253
Likes: 0
Received 0 Likes on 0 Posts
My Ride: F02 LCI Individual
Model Year: 2013
Default

Originally Posted by Lomag (Jul 22 2006, 05:58 AM):
...today is my birthday, July 21st, and well, this is not exactly the type of thing I want to come home to. ...

What a great birthday present from Das.



Happy birthday, Lomag!


And thank you for fixing it again.
Old 07-22-2006, 02:37 AM
  #9  
Contributors
 
ats77's Avatar
 
Join Date: Apr 2005
Location: MIAMI B*CH
Posts: 6,959
Likes: 0
Received 0 Likes on 0 Posts
Default

Originally Posted by Iceman (Jul 22 2006, 11:59 AM):
What a great birthday present from Das.
Happy birthday, Lomag!
And thank you for fixing it again.

Happy Birthday Lomag (Mark), thx for all, and the meet was awesome.
Old 07-22-2006, 04:25 AM
  #10  
Contributors
 
tachyon's Avatar
 
Join Date: May 2005
Location: Chicago, IL
Posts: 1,986
Likes: 0
Received 0 Likes on 0 Posts
Default

Great job guys. Thanks for all your diligent work.

And Happy Birthday Mark! Did you buy yourself any E60-related toys?




